Date: 19 Jul 2001 19:05:51 +0200 From: Assar Westerlund <assar@FreeBSD.ORG> To: Matt Dillon <dillon@earth.backplane.com> Cc: "Jacques A. Vidrine" <n@nectar.com>, Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Mike Tancsa <mike@sentex.net>, Kris Kennaway <kris@obsecurity.org>, security@FreeBSD.ORG Subject: Re: FreeBSD remote root exploit ? Message-ID: <5llmlk26j4.fsf@assaris.sics.se> In-Reply-To: Matt Dillon's message of "Thu, 19 Jul 2001 09:57:16 -0700 (PDT)" References: <200107190547.f6J5lmD66188@cwsys.cwsent.com> <200107190747.f6J7lMU71487@earth.backplane.com> <20010719102230.L27900@madman.nectar.com> <200107191657.f6JGvG574763@earth.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Matt Dillon <dillon@earth.backplane.com> writes: > Oh joy. Hmm. Then I don't know... it calls output_data() to generate > the AYT answer, I don't see anything particularly wrong with the code > unless nfrontp exceeds BUFSIZ. That's fragile, it could be that something > else is causing nfrontp to exceed BUFSIZ and breaks the snprintf() > 'remaining' calculation in output_data(). output_data adds the result from vsnprintf() to nfrontp. If there's not enough room for the formatted string in `remaining', vsnprintf() returns the size that would be required. Bad me, no cookie. /assar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5llmlk26j4.fsf>